function jwt_issue(userId, userName) {

    // flags: HS256:S RS256:I ES256:F
    // header: eyJhbGciOiJ{$flag}UzI1NiIsInR5cCI6IkpXVCJ9.   let algo = 'ES256'

    let alg
    let algo
    let typ = 'Uy' // JWS
    switch (SYSTEM_CONFIG.find(item => item.name === 'system_jwt_algo').value) {
        case 'HS256': // HMAC
            alg = 'I'
            typ = 'VC' // JWT
            break
        case 'RS256': // RSA
            alg = 'S'
            algo = crypto.rsa
            break
        case 'SS256': // SM2
            alg = 'T'
            algo = crypto.sm2
            break
        case 'ES256': // ED25519
            alg = 'F'
            algo = crypto.ed25519
            break
        default:
            throw new Error('alg not support')
    }

    // header
    let header = `eyJhbGciOiJ${alg}UzI1NiIsInR5cCI6IkpX${typ}J9`

    // payload
    let payload = encoding.from(JSON.stringify({
        uid: userId,
        unm: userName,
        iss: 'https://l-l.cn',
        sub: 'xMagic',
        jti: ex.suid().base58(),
        nbf: parseInt(new Date().getTime() / 1000),
        iat: parseInt(new Date().getTime() / 1000),
        exp: parseInt((new Date().getTime() + 1000 * 60 * 60 * 24 * 7) / 1000),
    })).toBase64.url.encoding(true).toString()

    // signature
    // let pair = algo.new()

    // console.log(`{publicKey:'${pair.publicKey}',\nprivateKey:\n'${pair.privateKey}'}`)

    let signature = algo.sign(SYSTEM_CONFIG.find(item => item.name === 'system_jwt_private').value, payload).toBase64.url.encoding(true).toString()

    let token = `${header}.${payload}.${signature}`

    return token

    // console.log(`token:\n${token}`)

    // let data = token.split('.')[1]
    // let code = token.split('.')[2]
    // console.log(`code:\n${code}`)
    // let isVerfied = algo.verify(pair.publicKey, data, encoding.from(code).toHEX.decoding().Bytes)
    // console.log(`isVerified:\n${isVerfied}`)
    // os.exit(0)
}

function jwt_parse(token) {
    let data = token.split('.')[1]
    let code = token.split('.')[2]
    let algo
    switch (SYSTEM_CONFIG.find(item => item.name === 'system_jwt_algo').value) {
        case 'HS256': // HMAC
            algo = crypto.rsa
            break
        case 'RS256': // RSA
            algo = crypto.rsa
            break
        case 'SS256': // SM2
            algo = crypto.sm2
            break
        case 'ES256': // ED25519
            algo = crypto.ed25519
            break
        default:
            throw new Error('alg not support')
    }
    let isVerify = algo.verify(SYSTEM_CONFIG.find(item => item.name === 'system_jwt_public').value, data, encoding.from(code).toBase64.url.decoding(true).Bytes)
    if (!isVerify) {
        return undefined
    }
    // console.log(data)
    data = encoding.from(data).toBase64.url.decoding(true).toObject()
    return data
}